Sunday, May 19, 2019
A Proposal of Metrics for Botnet Detection based on its Cooperative Behavior
The primary contribution of the paper is the proposal of three metrics that can help detect the presence of botnets in a wide area network (WAN). The proposed metrics, namely relationship, response and synchronization, are measured with respect to the traffic over a WAN. It is assumed that the behavior of botnets will recurrently exhibit these metrics. The authors define relationship as the connection that exists between the bots and the bot master of a botnet over one protocol. This metric tries to detect the structure of a botnet's relationship by analyzing the network traffic. It is observed that the response time to commands received by a legitimate host varies significantly, while that of bots is comparatively constant. The response time as a metric can thus help detect botnets. As the bots present in a botnet are programmed to carry out instructions from the bot master on a predetermined basis, it is assumed that their activities will synchronize. An analysis of the network traffic can possibly help detect synchronized activity between hosts, thus detecting botnets. The metrics are evaluated by analyzing traffic measured in the Asian Internet Interconnection Initiatives (AIII) infrastructure over a period of 24 hours. The analysis validates the proposed metrics, as a dense topology relationship, a short range of response times and synchronization of activities are detected in the presence of a botnet. The authors propose that a combination of all the metrics be used for detecting a botnet. The design of an algorithm to detect botnets based on a combination of the three metrics has been identified as future work.

Summary of IRC Traffic Analysis for Botnet Detection

The paper addresses the problem of detecting botnets by modeling the behavior of botnets.
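The relationship, response and synchronization metrics of the first summary above (Akiyama et al.) can be approximated over a log of command/response events between clients and servers. The following is an added example written for this post; it is not code from the paper or from the blog. The event log is constructed, and the event format, the 10 s synchronization window and the 0.05 s response-time deviation threshold are assumptions of the example. The per-server distinct-client count it computes as "relationship" is also, in effect, the "number of unique suspected bots" feature that the Wide-Scale Botnet Detection summary further below uses for candidate controllers.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed event log (not captured traffic). Each tuple is
# (time_seconds, client, server, server_port, kind), where kind is "cmd" for a
# message from the server to the client and "rsp" for the client's next
# message back to that same server. Addresses are documentation ranges.
BOT_SERVER = "203.0.113.5"      # assumed bot master
OTHER_SERVER = "198.51.100.7"   # assumed ordinary IRC server
EVENTS = []
# Three "bots" answer every command within about 0.2 s, at the same moments.
for t, delays in ((100.0, (0.20, 0.19, 0.20)),
                  (400.0, (0.22, 0.21, 0.20)),
                  (700.0, (0.21, 0.20, 0.21))):
    for i, delay in enumerate(delays):
        client = f"192.0.2.1{i + 1}"
        EVENTS.append((t, client, BOT_SERVER, 6667, "cmd"))
        EVENTS.append((t + delay, client, BOT_SERVER, 6667, "rsp"))
# One human-driven host answers at irregular times and with varying delay.
for t, delay in ((130.0, 0.5), (380.0, 12.0), (650.0, 3.3)):
    EVENTS.append((t, "192.0.2.20", OTHER_SERVER, 6667, "cmd"))
    EVENTS.append((t + delay, "192.0.2.20", OTHER_SERVER, 6667, "rsp"))
EVENTS.sort()


def relationship(events):
    """Relationship metric: distinct clients seen talking to each server:port.
    A dense fan-in (many clients, one server, one protocol) is the structure
    the paper associates with bots and their master."""
    clients = defaultdict(set)
    for _, client, server, port, _ in events:
        clients[(server, port)].add(client)
    return {key: len(hosts) for key, hosts in clients.items()}


def response_times(events):
    """Response metric: per client, the delay between a server command and the
    client's next reply to that server. Returns {client: (mean, pop. stdev)};
    near-constant delays (small stdev) are the bot-like case."""
    pending = {}                    # (client, server) -> time of unanswered cmd
    delays = defaultdict(list)
    for t, client, server, _, kind in sorted(events):
        key = (client, server)
        if kind == "cmd":
            pending[key] = t
        elif key in pending:
            delays[client].append(t - pending.pop(key))
    return {c: (mean(d), pstdev(d)) for c, d in delays.items() if len(d) > 1}


def synchronization(events, window=10.0, min_hosts=2):
    """Synchronization metric: time windows in which at least min_hosts distinct
    clients replied. Returns {window_start: sorted clients}."""
    active = defaultdict(set)
    for t, client, _, _, kind in events:
        if kind == "rsp":
            active[int(t // window) * window].add(client)
    return {w: sorted(c) for w, c in sorted(active.items()) if len(c) >= min_hosts}


def flag_bot_like(events, max_stdev=0.05, min_sync_windows=2):
    """Combine the metrics, as the paper proposes: flag a client whose response
    times are near-constant AND which acts in several synchronized windows."""
    sync_counts = defaultdict(int)
    for clients in synchronization(events).values():
        for client in clients:
            sync_counts[client] += 1
    flagged = [client for client, (_, stdev) in response_times(events).items()
               if stdev <= max_stdev and sync_counts[client] >= min_sync_windows]
    return sorted(flagged)


if __name__ == "__main__":
    print("relationship:", relationship(EVENTS))
    for client, (avg, stdev) in response_times(EVENTS).items():
        print(f"response {client}: mean={avg:.2f}s stdev={stdev:.3f}s")
    print("synchronized windows:", synchronization(EVENTS))
    print("bot-like clients:", flag_bot_like(EVENTS))
```

The thresholds are deliberately loose illustrations; on a real WAN the paper's point is that the three signals are combined rather than any one of them being trusted alone, and the window and deviation cut-offs would have to be tuned to the observed traffic.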
The main idea of the paper is to analyze network traffic, model the behavior of botnets based on the analysis and use pattern recognition techniques to identify a particular behavior model as belonging to a botnet. The proposed model for detecting botnets analyzes traffic that uses the IRC protocol. A traffic sniffer is used to analyze packets in promiscuous mode. The protocol detector detects traffic using the protocol of interest to the analysis, in this case IRC. The packets are decoded using the IRC decoder and the behavior models are built. The detection engine detects a botnet based on the behavior model. The features used to build a behavior model include features related to a linguistic analysis of the data that passes through an IRC channel, in addition to the rate of activity in the channel. It is observed that the language used by bots has a limited vocabulary and uses many punctuation marks. The language used by humans is observed to have a wider mean and variance with respect to the words used in a sentence. The features used to model the behavior of botnets are listed. The experiments have been conducted with clean data collected from chat rooms and botnet data collected at the Georgia Institute of Technology. Pattern recognition is performed using support vector machines (SVMs) and J48 decision trees, and the results are reported in terms of confusion matrices. Though the botnets are detected using the above models, the authors report that a further analysis of the data is necessary. Unsupervised testing of the model and expansion of the model for adaptation to other scenarios are proposed as future work.

Summary of The Automatic Discovery, Identification and Measurement of Botnets

The paper proposes a technique for identifying and measuring the botnets used to deliver malicious email such as spam. The implementation and performance of the proposed technique have been presented.
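For the IRC summary above (Mazzariello), the following added example shows the kind of linguistic and activity-rate features the summary describes, computed over a channel's messages: vocabulary size relative to word count, share of punctuation characters, mean and variance of words per message, and message rate. It then classifies an unseen channel with a nearest-centroid rule trained on one labelled bot channel and one labelled human channel. This is example code written for this post, not the paper's feature list or its SVM/J48 pipeline; the sample channels are constructed, and the exact feature definitions, the min-max scaling and the nearest-centroid classifier are assumptions of the example standing in for the paper's models.

```python
import re
import string
from collections import defaultdict
from statistics import mean, pvariance

# Constructed sample channels (not data from the paper): (seconds, nick, text).
# The "bot" channel is terse, repetitive and punctuation-heavy; the human one
# is slower and uses a wider vocabulary with varying message lengths.
BOT_CHANNEL = [
    (0, "b1", ".ping"), (1, "b2", ".pong"), (1, "b3", ".pong"),
    (2, "b1", ".status ok"), (3, "b2", "[ok] .status ok"), (3, "b3", "[ok] .status ok"),
    (4, "b1", ".ver 1.0"), (5, "b2", ".ver 1.0 !!"), (5, "b3", ".ver 1.0 !!"),
]
HUMAN_CHANNEL = [
    (0, "amy", "hey, anyone around?"),
    (40, "raj", "yeah, just got back from lunch"),
    (75, "amy", "did you ever get that build working on the laptop"),
    (150, "raj", "no"),
    (210, "lee", "it needed the newer compiler, I posted the fix in the wiki yesterday"),
    (300, "amy", "thanks"),
]
UNSEEN_BOT = [
    (0, "c1", ".ping"), (1, "c2", ".pong"), (1, "c3", ".pong"), (1, "c4", ".pong"),
    (2, "c1", ".status ok"), (3, "c2", "[ok] .status ok"),
    (3, "c3", "[ok] .status ok"), (3, "c4", "[ok] .status ok"),
]
UNSEEN_HUMAN = [
    (0, "kim", "morning!"),
    (45, "kim", "coffee machine is broken again, anyone know who to call?"),
    (120, "dan", "ugh"),
    (200, "dan", "I think facilities, let me dig up the number for you"),
    (420, "kim", "thanks"),
]

WORD = re.compile(r"[A-Za-z0-9']+")
PUNCT = set(string.punctuation)
FEATURE_ORDER = ("type_token_ratio", "punct_ratio", "mean_words", "var_words", "msg_rate")


def channel_features(messages):
    """Linguistic and activity features of one channel, as a dict."""
    texts = [text for _, _, text in messages]
    words_per_msg = [len(WORD.findall(t)) for t in texts]
    all_words = [w.lower() for t in texts for w in WORD.findall(t)]
    chars = "".join(texts)
    span = max(1, messages[-1][0] - messages[0][0])   # seconds covered by the log
    return {
        "type_token_ratio": len(set(all_words)) / max(1, len(all_words)),  # low = limited vocabulary
        "punct_ratio": sum(c in PUNCT for c in chars) / max(1, len(chars)),
        "mean_words": mean(words_per_msg),
        "var_words": pvariance(words_per_msg),
        "msg_rate": len(messages) / span,
    }


def _scaled(features, scale):
    """Min-max scale a feature dict into a vector in FEATURE_ORDER."""
    return [(features[f] - scale[f][0]) / scale[f][1] for f in FEATURE_ORDER]


def train_centroids(labelled):
    """labelled: list of (label, messages). Returns (scale, {label: centroid})."""
    vectors = [(label, channel_features(msgs)) for label, msgs in labelled]
    scale = {}
    for f in FEATURE_ORDER:
        vals = [v[f] for _, v in vectors]
        scale[f] = (min(vals), (max(vals) - min(vals)) or 1.0)
    rows_by_label = defaultdict(list)
    for label, v in vectors:
        rows_by_label[label].append(_scaled(v, scale))
    return scale, {label: [mean(col) for col in zip(*rows)]
                   for label, rows in rows_by_label.items()}


def classify(messages, scale, centroids):
    """Nearest-centroid decision (squared Euclidean distance in scaled space)."""
    x = _scaled(channel_features(messages), scale)
    return min(centroids, key=lambda lbl: sum((a - b) ** 2 for a, b in zip(x, centroids[lbl])))


if __name__ == "__main__":
    scale, centroids = train_centroids([("bot", BOT_CHANNEL), ("human", HUMAN_CHANNEL)])
    for name, chan in (("bot", BOT_CHANNEL), ("human", HUMAN_CHANNEL)):
        print(name, {k: round(v, 3) for k, v in channel_features(chan).items()})
    print("unseen bot ->", classify(UNSEEN_BOT, scale, centroids))
    print("unseen human ->", classify(UNSEEN_HUMAN, scale, centroids))
```

With one training channel per class the centroids are just the two scaled samples, which is enough to show how the features separate the two registers; a real deployment would train the paper's SVM or J48 models on many labelled channels and report the confusion matrix, as the summary notes.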
The authors are of the opinion that the existing methods for detecting botnets used to send email consume a significant amount of resources and are often applicable only after a botnet has been operational over a period of time. The authors propose a passive method for identifying botnets by classifying the email content. The headers present in the emails are used to group the mails. The authors assume that a botnet has a central point of control and that the same program is used by a botnet for creating and sending spam emails. Based on these assumptions, the authors propose to classify emails by a passive analysis of the header content present in them. The Plato algorithm is proposed to identify the sender and the program used to send the email. The performance of the Plato algorithm is analyzed based on the following factors: clustering, durability, isolation and conflicts. The analysis is performed on a sample dataset containing 2.3 million emails. In the dataset, 96% of the emails are identified as having a probability of being spam. The algorithm is observed to successfully reflect the features associated with spam email. It helps group the emails based on the characteristics of the sender and the sending program. This grouping of emails can help identify a botnet and thus enable its membership and size to be determined. The authors propose that the algorithm can be further used for classifying bulk emails, to understand the relationship between spam and viruses, and as a replacement for spam filters using statistical methods.

Summary of Towards Practical Framework for Collecting and Analyzing Network-Centric Attacks

The paper proposes a network-centric framework based on risk awareness to help detect attacks from a botnet and prevent these attacks. The authors state that the bots follow certain network traffic patterns and that these patterns can be used to identify a bot.
The proposed framework consists of three main components, namely bot detection, bot characteristics and bot risks. The first component, bot detection, is used to detect known and unknown bots that try to penetrate the system. A honeypot-based malware collection system component is used to attract bots to the honeypot and thus help detect bots. After the bots have been detected, the characteristics of the bots are analyzed. The behavior of bots and their characteristics are identified by analyzing known malware and network traffic patterns, and by detecting the existence of any correlation between various instances of a malware. Various components are used to perform each of the tasks involved in bot characterization. To determine the risks posed by bots, the vulnerabilities present in the existing system are identified. The risk posed by a host with certain characteristics is calculated based on the vulnerabilities associated with the system. Thus the risk factor can be modified on demand. A combination of the identified characteristics and the associated risks is evaluated when a decision regarding the blocking of traffic is made. The authors present results that show the ability of the proposed framework to detect different types of bots. The feasibility of the proposed framework has been demonstrated. Enhancement of the correlation system and integration of the risk-aware system with the architecture are proposed as future work.

Summary of Wide-Scale Botnet Detection and Characterization

The paper proposes a methodology based on passive analysis of traffic flow data to detect and characterize botnets. A scalable algorithm that gives information about controllers of botnets is proposed, based on analysis of data from the transport layer. Four steps have been identified in the process of detecting botnet controllers. Suspicious behavior of hosts is identified and the conversations pertaining to these hosts are isolated for further evaluation.
These hosts are identified as suspected bots. Based on the records of suspected bots, the records that possibly represent connections with a controller are isolated. These are referred to as candidate controller conversations in the paper. These candidate controller conversations are further analyzed to identify suspected controllers of botnets. The analysis is based on calculating the following: the number of unique suspected bots, the distance between model traffic and the remote server ports, and heuristics that give a score to candidates that are possible bot controllers. The suspected controllers are validated in three possible ways: correlation with other available data sources, coordination with a customer for confirmation, and validation of domain names associated with services (Karasaridis, Rexroad, & Hoeflin, 2007). The botnets are classified based on their characteristics using a similarity function. An algorithm is proposed for the same. The authors report the discovery of a large number of botnet controllers on using the proposed system. A false positive rate of less than 2% is reported, based on correlation of the detected controllers with other sources. The proposed algorithm is also reported to successfully identify malicious bots. The future work is identified as the need to expand the algorithm to other protocols and to analyze the evolution of botnets.

References

Akiyama, M., Kawamoto, T., Shimamura, M., Yokoyama, T., Kadobayashi, Y., & Yamaguchi, S. (2007). A proposal of metrics for botnet detection based on its cooperative behavior. Proceedings of the 2007 International Symposium on Applications and the Internet Workshops. 82-85.
Castle, I., & Buckley, E. (2008). The automatic discovery, identification and measurement of botnets. Proceedings of the Second International Conference on Emerging Security Information, Systems and Technologies. 127-132.
Karasaridis, A., Rexroad, B., & Hoeflin, D. (2007). Wide-scale botnet detection and characterization. Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets. 7-14.
Mazzariello, C. (2008). IRC traffic analysis for botnet detection. Proceedings of the Fourth International Conference on Information Assurance and Security. 318-323.
Paxton, N., Ahn, G.-J., & Chu, B. (2007). Towards practical framework for collecting and analyzing network-centric attacks. Proceedings of the IEEE International Conference on Information Reuse and Integration. 73-78.